GridNet2 Report

Mike Jones, The University of Manchester
This is a consolidated report covering the GridNet2 activities for Mike Jones, GridNet2 ID 109, for the period February 2006 to date.
Report of activities at GGF16 2006 – Athens
GGF16 Athens is my first GGF meeting for some time. The main purposes of my attending this meeting are: to attend the GridShib Investigators meetings, as I am currently involved in a project to help the NGS to leverage Shibboleth; to field Authentication and Authorisation issues relating to the NGS within the Grid Interoperability Now sessions; and to re-engage with the community.
Parallel Sessions attended:
● GIN Meetings
● OGSA AuthZ
● Grid and Shib: Investigators meetings
● IGTF
● CA-OPS – OCSP, Revocation of proxies, Namespace constraints
● Ad Hoc BoF on Grid applications of virtualisation technologies
● Interoperability Fests
● Grid Authorization – Interoperability Here & Now
I presented work on SHEBANGS and also the integration of Shibboleth into GridSite at the Grid and Shib meetings. SHEBANGS was well received although the general impression was that it was quite complex due to the attempt to explain the technical aspects of the architecture – something I followed up with those who raised questions during the meeting.
The takeaway information was that SAML 2.0 has new features such as Single Logout, Attribute Encryption and the Enhanced Client or Proxy. We should expect a final release of Shibboleth 2.0 by the end of Summer 2006. Autograph provides dynamic configuration of Shibboleth attribute release. Work is in progress to Shibbolize MyProxy and allow it to run as an on-line CA. Most projects are addressing the AA in the SOA space.
Overall the UK was well represented contributing more than half of the presentations.
In the GIN meetings volunteers were sought from the different grids. The NGS was put forward as a contributor and I was volunteered to represent the NGS on matters relating to Authentication and Authorisation.
The rest of the sessions I attended as a tourist.
Report of activities at GGF17 2006 – Tokyo
There was no grid-Shibboleth session at the GGF. I attended sessions focused on Authentication and Authorisation.
Parallel Sessions Attended:
● OGSA AuthZ New Protocols
● GT4 Status & Experiences, Applications and Deployments
● Security Area session
● GIN Progress and Plans
● Firewall Issues Research Group
● CAOPS Session
● Teragrid Security: Managing security across a grid – (Interesting session especially the handling of the compromise on the TG.)
● Workshop on Data Access and Integration – (tourism)
Most contributions were outside the scope of formal meetings: informal discussions and networking on the topics of Identity management and grid security.
I attended the Firewall Issues Research Group, where I suggested the addition of AccessGrid as an example of UDP and multicast network traffic for the Firewall Issues Document. I also asked for the document to include the effects of source IP filtering, and suggested that a section on Network Address Translation be added to highlight the plight of compute resources whose batch nodes are either firewalled or not connected to the WAN. All three suggestions were embraced and published in GFD-83.
Report of activities at GGF18 – Washington
The main purpose of my attendance at this GGF was to attend the four-part grid-Shibboleth experiences workshop.
Parallel sessions attended:
● Shibboleth for Grids: Experiences and Interoperability
● OGF101
● CAOPS
● OGSA AuthZ WG
● International Grid Trust Federation
● FI-RG
● Aggregating Mobile Devices with Grids
● Topics in Identity Management
Most of this GGF meeting was taken up by Shibboleth activities. I presented the current status of SHEBANGS highlighting the problems regarding identity credential namespace, the method by which the Levels of Assurance (LoA) is conveyed and some experiences with the configuration of Shibboleth.
Of particular note were the developments of Shibboleth 2.0 (still not released), which appear to remove the WAYF from the federation. Most of the inner workings will be majorly different to the Shibboleth 1.3 architecture in order to embrace IdP discovery and single sign-out. David Chadwick presented what looks to be a useful policy editing application that allows service providers to express complex policies in natural language using XSLT transforms.
CA-OPS: Two documents were discussed: "Guidelines for Authentication Service Profiles for Grids" and the "Grid Certificate Profile". There was a long, quite heated discussion about what a federation means within this group, identity management groups, the wider grid community and the on-line community in general. The need for a glossary document was suggested.
Notes on OGF 19 – Chapel Hill
(I was funded by the SHEBANGS project for this OGF – but have included this report for continuity).
Parallel sessions attended:
● OGSA-Authz-WG
● OGSA security session
● Software Forum – Condor Scheduling system
● Security Area Meeting
● Federated Identity
● Standards All-Hands: Integrating the Work of OGF
● Software Forum – SRB data Grid infrastructure
● Levels of Assurance (LoAs) BoF (co-scheduled with Grid Federated Identity SF)
● Towards Data Grid Standards (GFS Community Update) (GFS-WG)
● Towards Data Grid Standard Implementations (GFS community work) (GFS-WG)
● IGTF
● CAOPS WG – Now co-author on the Grid Certificate Profile document
● OGSA-AuthN Charter BoF – interfacing SAML to Grids
● WS-Naming (OGSA-NAMING-WG) – tourism (not quorate so became a tutorial)
● The Storage Resource Management standard proposal – the Core version (GSM-WG)
● JSDL working sessions
The LoA BoF was well attended and a draft charter was formulated for a new Research Group. Two potential documents were identified as outputs: 1) the identification of the criteria that go into LoA assessment and risk vs perceived gap, with a gathering of use-cases; 2) the identification of the gaps between NIST standards etc. and grid usage of identity assertions.
CA-OPS: Experience from writing a Perl library, VOMS::Lite, which can create X509, GSI proxy and VOMS attribute certificates, has given me a deep insight into how Grid Certificates are constructed and used. This was fed back into the Certificate Profile document and I have subsequently become a co-author on this document.
GSM-WG: I attended the SRM tutorial and subsequent discussion. The SRM specification is currently at version 2, but this is not in the OGF documents track. SRM v3 will be in the OGF documents track but is currently waiting for a reference implementation before work starts on this. There is no SRM for SRB; although work had been done towards the development of one by the "European group", it is now stopped because SRB does not support some basic SRM minimum requirements (esp. reservation of storage space). A group from Taiwan is currently revisiting this, but the state of this work is unknown.
Report of activities at OGF 20 – Manchester
The main purposes of my attendance at this OGF were to participate in the LoA BoF and to man the NGS and Manchester booths.
Parallel sessions attended:
● OGSA-Authz (OGSA-AUTHZ-WG)
● LoA-RG
● Joint Session on Information Modeling for Computing Resources (GLUE-WG)
● JSDL General (JSDL-WG)
● JSDL 1.0 Extensions (JSDL-WG) – unfortunately co-scheduled with the Workshop on heuristics for implementing semantic knowledge yardsticks.
● GIN
● Dynamic Service Level Agreements
● CAOPS Session (CAOPS-WG) – yet another long discussion about DN namespaces, and a decision to drop OCSP
● gLite
LoA-RG: The two documents to be produced were identified: "A risk analysis in relation to LoA and use case gathering in an e-Science context." and "A gap analysis of current LoA definitions versus LoA requirements in e-Science/Grid context.". The group continued by discussing various authentication scenarios and identifying the areas relevant to LoA.
The work on LoA was further propagated to the grid community through the circulation of the ES-LoA questionnaire in various relevant sessions.
Outside of meetings I was involved in various discussions, in particular one with David Groep, David Chadwick and Frank Siebenlist regarding current and future authorisation mechanics in Globus-based grids, specifically the ability to include uid/gid assertions in authorisation engines such as LCMAPS and GUMS. DG also highlighted issues relating to the existence of GIDs and UIDs on back-end nodes.
Unfortunately I was unable to make it to the Workshop on heuristics for implementing semantic knowledge yardsticks, which was rescheduled.